[{"data":1,"prerenderedAt":216},["ShallowReactive",2],{"blog-glossary/csrf":3},{"id":4,"title":5,"body":6,"category":191,"date":192,"dateModified":192,"description":193,"draft":194,"extension":195,"faq":196,"featured":194,"headerVariant":200,"image":201,"keywords":201,"meta":202,"navigation":203,"ogDescription":204,"ogTitle":205,"path":206,"readTime":207,"schemaOrg":208,"schemaType":209,"seo":210,"sitemap":211,"stem":212,"tags":213,"twitterCard":214,"__hash__":215},"blog/blog/glossary/csrf.md","What is CSRF (Cross-Site Request Forgery)? Security Guide",{"type":7,"value":8,"toc":177},"minimark",[9,16,21,24,32,35,38,42,61,65,70,73,97,101,104,110,114,117,121,124,146,165],[10,11,12],"tldr",{},[13,14,15],"p",{},"CSRF (Cross-Site Request Forgery) tricks your browser into making requests you didn't intend. If you're logged into your bank and visit a malicious site, that site could trigger a transfer from your account. Your browser automatically includes your cookies, so the bank thinks you made the request. Prevent CSRF with tokens, SameSite cookies, and checking the Origin header.",[17,18,20],"h2",{"id":19},"the-simple-explanation","The Simple Explanation",[13,22,23],{},"Imagine you're logged into your bank. Then you visit a different website with this hidden image:",[25,26,28],"prompt-box",{"title":27},"Malicious HTML on attacker's site",[29,30],"img",{"src":31},"https://bank.com/transfer?to=attacker&amount=1000",[13,33,34],{},"Your browser loads the image by making that request. Since you're logged into the bank, your session cookie goes along with it. The bank sees a valid request from an authenticated user and processes the transfer.",[13,36,37],{},"You never clicked anything. You just visited a webpage. 
That's CSRF.",[17,39,41],{"id":40},"how-csrf-works","How CSRF Works",[43,44,45,49,52,55,58],"ol",{},[46,47,48],"li",{},"Victim logs into vulnerable-site.com",[46,50,51],{},"Victim visits attacker's page (or any site with malicious content)",[46,53,54],{},"Attacker's page triggers a request to vulnerable-site.com",[46,56,57],{},"Browser automatically includes cookies for vulnerable-site.com",[46,59,60],{},"vulnerable-site.com thinks it's a legitimate request from the victim",[17,62,64],{"id":63},"preventing-csrf","Preventing CSRF",[66,67,69],"h3",{"id":68},"_1-csrf-tokens","1. CSRF Tokens",[13,71,72],{},"Include a secret token in forms that the server validates. Attackers can't guess this token.",[25,74,76],{"title":75},"Form with CSRF token",[77,78,81,82,81,88,81,92],"form",{"action":79,"method":80},"/transfer","POST","\n  ",[83,84],"input",{"type":85,"name":86,"value":87},"hidden","csrf_token","random-secret-token",[83,89],{"type":90,"name":91},"text","amount",[93,94,96],"button",{"type":95},"submit","Transfer",[66,98,100],{"id":99},"_2-samesite-cookies","2. SameSite Cookies",[13,102,103],{},"Modern browsers support SameSite cookie attributes that restrict when cookies are sent:",[25,105,107],{"title":106},"Setting SameSite cookie",[13,108,109],{},"Set-Cookie: session=abc123; SameSite=Strict; Secure; HttpOnly",[66,111,113],{"id":112},"_3-check-originreferer-headers","3. Check Origin/Referer Headers",[13,115,116],{},"Verify that requests come from your own domain by checking the Origin or Referer header on the server.",[17,118,120],{"id":119},"when-csrf-doesnt-apply","When CSRF Doesn't Apply",[13,122,123],{},"CSRF is mainly a concern when authentication uses cookies (sent automatically by the browser). 
If your API uses Authorization headers with tokens (like Bearer tokens), CSRF is less of a concern because browsers don't automatically send Authorization headers.",[125,126,127,134,140],"faq-section",{},[128,129,131],"faq-item",{"question":130},"What is the difference between CSRF and XSS?",[13,132,133],{},"XSS injects malicious scripts that run in users' browsers. CSRF tricks the browser into making requests the user didn't intend. XSS exploits trust a user has in a website. CSRF exploits trust a website has in a user's browser.",[128,135,137],{"question":136},"Do I need CSRF protection for APIs?",[13,138,139],{},"If your API uses cookies for authentication, yes. If it uses Authorization headers with tokens (like Bearer tokens), CSRF is less of a concern because browsers don't automatically send Authorization headers. Modern SPAs using JWT in headers are naturally CSRF-resistant.",[128,141,143],{"question":142},"What is the SameSite cookie attribute?",[13,144,145],{},"SameSite controls whether cookies are sent with cross-site requests. SameSite=Strict only sends cookies for same-site requests. SameSite=Lax sends cookies for navigation but not for embedded content. SameSite=None sends cookies everywhere but requires Secure. 
Modern browsers default to Lax, providing basic CSRF protection.",[147,148,149,155,160],"related-articles",{},[150,151],"related-card",{"description":152,"href":153,"title":154},"A different attack vector","/blog/glossary/xss","XSS",[150,156],{"description":157,"href":158,"title":159},"How browsers store sessions","/blog/glossary/cookie","Cookie",[150,161],{"description":162,"href":163,"title":164},"Server-side state management","/blog/glossary/session","Session",[166,167,170,174],"cta-box",{"href":168,"label":169},"/","Start Free Scan",[17,171,173],{"id":172},"check-for-csrf","Check for CSRF",[13,175,176],{},"Scan your app for CSRF vulnerabilities.",{"title":178,"searchDepth":179,"depth":179,"links":180},"",2,[181,182,183,189,190],{"id":19,"depth":179,"text":20},{"id":40,"depth":179,"text":41},{"id":63,"depth":179,"text":64,"children":184},[185,187,188],{"id":68,"depth":186,"text":69},3,{"id":99,"depth":186,"text":100},{"id":112,"depth":186,"text":113},{"id":119,"depth":179,"text":120},{"id":172,"depth":179,"text":173},"glossary","2026-01-06","Learn what CSRF attacks are, how they trick users into unwanted actions, and how to protect your app with tokens and SameSite cookies.",false,"md",[197,198,199],{"question":130,"answer":133},{"question":136,"answer":139},{"question":142,"answer":145},"green",null,{},true,"CSRF tricks users into performing unwanted actions. Learn how to prevent it.","What is CSRF? Cross-Site Request Forgery Explained","/blog/glossary/csrf","5 min read","[object Object]","DefinedTerm",{"title":5,"description":193},{"loc":206},"blog/glossary/csrf",[],"summary_large_image","HfbC586mxxaNPSBmWRmIXOO4Z4W-A5fOiZTedWpNjoM",1775843921547]